Amazon EC2 and Amazon Virtual Private Cloud

Amazon Virtual Private Cloud (Amazon VPC) enables you to define a virtual network in your own logically isolated area
within the AWS cloud, known as a virtual private cloud (VPC). You can launch your
AWS resources, such as instances, into your VPC. Your VPC closely resembles a traditional network that
you might operate in your own data center, with the benefits of using AWS's scalable infrastructure.
You can configure your VPC; you can select its IP address range, create subnets, and configure route tables,
network gateways, and security settings. You can connect instances in your VPC to the Internet. You can
connect your VPC to your own corporate data center, making the AWS cloud an extension of your data center.
To protect the resources in each subnet, you can use multiple layers of security, including security groups
and network access control lists. For more information, see the Amazon VPC User Guide.

Your account may support both the EC2-VPC and EC2-Classic platforms, on a region-by-region
basis. If you created your account after 2013-12-04, it supports EC2-VPC only. To find out which
platforms your account supports, see Supported Platforms. If your account supports EC2-VPC only, we create a
default VPC for you. A default VPC is a VPC that is already configured and ready for you to use.
You can launch instances into your default VPC immediately. For more information about your
default VPC, see Your Default VPC and Subnets in the Amazon VPC User Guide. If your account
supports EC2-Classic and EC2-VPC, you can launch instances into either platform.

The following characteristics differ between the EC2-Classic platform, a default VPC, and a nondefault VPC.

Multiple private IP addresses
  EC2-Classic: We select a single private IP address for your instance; multiple IP addresses are not supported.
  Default VPC: You can assign multiple private IP addresses to your instance.
  Nondefault VPC: You can assign multiple private IP addresses to your instance.

Elastic IP address
  EC2-Classic: An EIP is disassociated from your instance when you stop it.
  Default VPC: An EIP remains associated with your instance when you stop it.
  Nondefault VPC: An EIP remains associated with your instance when you stop it.

DNS hostnames
  EC2-Classic: DNS hostnames are enabled by default.
  Default VPC: DNS hostnames are enabled by default.
  Nondefault VPC: DNS hostnames are disabled by default.

Security group
  EC2-Classic: A security group can reference security groups that belong to other AWS accounts. You can create up to 500 security groups in each region.
  Default VPC: A security group can reference security groups for your VPC only. You can create up to 100 security groups per VPC.
  Nondefault VPC: A security group can reference security groups for your VPC only. You can create up to 100 security groups per VPC.

Security group association
  EC2-Classic: You can assign an unlimited number of security groups to an instance when you launch it. You can't change the security groups of your running instance. You can either modify the rules of the assigned security groups, or replace the instance with a new one (create an AMI from the instance, launch a new instance from this AMI with the security groups that you need, disassociate any Elastic IP address from the original instance and associate it with the new instance, and then terminate the original instance).
  Default VPC: You can assign up to 5 security groups to an instance. You can assign security groups to your instance when you launch it and while it's running.
  Nondefault VPC: You can assign up to 5 security groups to an instance. You can assign security groups to your instance when you launch it and while it's running.

Security group rules
  EC2-Classic: You can add rules for inbound traffic only. You can add up to 100 rules to a security group.
  Default VPC: You can add rules for inbound and outbound traffic. You can add up to 50 rules to a security group.
  Nondefault VPC: You can add rules for inbound and outbound traffic. You can add up to 50 rules to a security group.

Tenancy
  EC2-Classic: Your instance runs on shared hardware.
  Default VPC: You can run your instance on shared hardware or single-tenant hardware.
  Nondefault VPC: You can run your instance on shared hardware or single-tenant hardware.

Accessing the Internet
  EC2-Classic: Your instance can access the Internet. Your instance automatically receives a public IP address, and can access the Internet directly through the AWS network edge.
  Default VPC: By default, your instance can access the Internet. Your instance receives a public IP address by default. An Internet gateway is attached to your default VPC, and your default subnet has a route to the Internet gateway.
  Nondefault VPC: By default, your instance cannot access the Internet. Your instance doesn't receive a public IP address by default. Your VPC may have an Internet gateway, depending on how it was created.

The following diagram shows instances in each platform. Note the following:

Instances C1, C2, C3, and C4 are in the EC2-Classic platform. C1 and C2 were launched by
one account, and C3 and C4 were launched by a different account. These instances can
communicate with each other and can access the Internet directly.

Instances V1 and V2 are in different subnets in the same VPC in the EC2-VPC platform. They
were launched by the account that owns the VPC; no other account can launch instances in
this VPC. These instances can communicate with each other and can access instances in
EC2-Classic and the Internet through the Internet gateway.

Sharing and Accessing Resources Between EC2-Classic and EC2-VPC

Some resources and features in your AWS account can be shared or accessed between the
EC2-Classic and EC2-VPC platforms, for example, through ClassicLink.
For more information about ClassicLink, see ClassicLink.

A linked EC2-Classic instance can use VPC security groups through ClassicLink to
control traffic to and from the VPC. VPC instances can't use EC2-Classic security groups.

You can't migrate a security group from EC2-Classic to a VPC. You can copy rules from
a security group in EC2-Classic to a security group in a VPC. For
more information, see Creating a Security Group.

Snapshot

The following resources can't be shared or moved between EC2-Classic and a VPC:

Spot Instances

Instance Types Available Only in a VPC

Instances of the following instance types are not supported in EC2-Classic and
must be launched in a VPC:

C4

M4

T2

If your account supports EC2-Classic but you have not created a nondefault VPC, you can do one
of the following to launch a VPC-only instance:

Create a nondefault VPC and launch your VPC-only instance into it by specifying a subnet ID
or a network interface ID in the request. Note that you must create a nondefault VPC
if you do not have a default VPC and you are using the AWS CLI, Amazon EC2 API, or Amazon EC2 CLI
to launch a VPC-only instance. For more information, see
Create a Virtual Private Cloud (VPC).

Launch your VPC-only instance using the Amazon EC2 console. The Amazon EC2 console creates
a nondefault VPC in your account and launches the instance into the subnet in the
first Availability Zone. Note that the console creates the VPC with the following attributes:

One subnet in each Availability Zone, with the public IP addressing attribute
set to true so that instances receive a public IP address. For
more information, see IP Addressing in Your VPC in the Amazon VPC User Guide.

An Internet gateway, and a main route table that routes traffic in the VPC
to the Internet gateway. This enables the instances you launch in the VPC
to communicate over the Internet. For more information, see
Internet Gateways
in the Amazon VPC User Guide.

A default security group for the VPC and a default network ACL that is associated
with each subnet. For more information, see Security in Your VPC in the
Amazon VPC User Guide.
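The reachability conditions this page spreads across the Accessing the Internet row, the Security group rules row, and the list of attributes the console gives a nondefault VPC (public IP address, attached Internet gateway, subnet route to that gateway, inbound security group rules) can be checked mechanically. The following is an added example, not AWS code: the route tables, gateway list, security groups and instance records are constructed in the shape of describe-* output, and an instance without a VpcId is treated as EC2-Classic.

```python
"""Decide whether an EC2 instance is reachable from the Internet using the
attributes this page lists. All records below are constructed sample data."""

# Constructed: Internet gateways currently attached to the VPC.
IGW_ATTACHED = {"igw-0aaa"}

# Constructed route tables keyed by subnet id. "subnet-stale" routes to a
# gateway that is not attached, as can happen in a hand-built nondefault VPC.
ROUTES = {
    "subnet-public":  [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaa"}],
    "subnet-private": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    "subnet-stale":   [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0bbb"}],
}

# Constructed security groups; only inbound rules (IpPermissions) matter here,
# since outbound rules never make an instance reachable.
SECURITY_GROUPS = {
    "sg-open": {"IpPermissions": [{"FromPort": 22, "ToPort": 22,
                                   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    "sg-corp": {"IpPermissions": [{"FromPort": 22, "ToPort": 22,
                                   "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
}

def subnet_has_igw_route(subnet_id):
    """True if the subnet's route table sends 0.0.0.0/0 to an attached gateway."""
    return any(r["DestinationCidrBlock"] == "0.0.0.0/0" and r["GatewayId"] in IGW_ATTACHED
               for r in ROUTES.get(subnet_id, []))

def ports_open_to_world(group_ids):
    """Ports that any of the instance's groups admits from 0.0.0.0/0. A rule
    without port bounds (all traffic) is treated as every port."""
    ports = set()
    for gid in group_ids:
        for perm in SECURITY_GROUPS[gid]["IpPermissions"]:
            if any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
                ports.update(range(perm.get("FromPort", 0), perm.get("ToPort", 65535) + 1))
    return ports

def internet_reachable(instance):
    """Return (reachable, reason). An instance with no VpcId is EC2-Classic:
    it always has a public address and a direct path to the AWS network edge,
    so only its inbound security group rules decide the outcome."""
    if not instance.get("PublicIpAddress"):
        return False, "no public IP address"
    if "VpcId" in instance and not subnet_has_igw_route(instance["SubnetId"]):
        return False, "subnet has no route to an attached Internet gateway"
    ports = ports_open_to_world(instance["SecurityGroupIds"])
    if not ports:
        return False, "no inbound rule admits 0.0.0.0/0"
    return True, f"ports open to the world: {sorted(ports)}"
```

A nondefault VPC instance launched without a public IP address is reported unreachable before its routes or groups are even consulted, which matches the default behaviour the table describes.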